Sorry, my e-mail client doesn't follow the "Reply-To" header... So, it
has been sent to Eric instead of being sent to the list. The message
follows below.

---------- Forwarded message ----------
From: Bruno Moreira Guedes <thbmatrix@xxxxxxxxx>
Date: 2009/6/2
Subject: Re: NAT + (libnfqueue || libipq): There are some documents about it?
To: Eric Leblond <eric@xxxxxx>

2009/6/1 Eric Leblond <eric@xxxxxx>:
> Hi,
>
> On Sunday 31 May 2009 at 20:05 -0300, Bruno Moreira Guedes wrote:
>> 2009/5/27 Bruno Moreira Guedes <thbmatrix@xxxxxxxxx>:
>> > 2009/5/26 Eric Leblond <eric@xxxxxx>:
>> >> Hi,
>> >>
>> >> On Tuesday 26 May 2009 at 01:53 -0300, Bruno Moreira Guedes wrote:
>> >>> Hi all,
>> >>>
>> >>> I need to do some tasks about translating address in user-space. So, I
>> >>> first tried using libipq because it seems to me a library present in a
> ...
>> But, even with the right checksum it doesn't work as expected (by me).
>> The packet seems like I dropped it instead of accepting it. So, I ask:
>> does netfilter "retranslate" the packet answer for me? For example:
>>
>> 1) I receive in the nat::POSTROUTING a packet and jump it to QUEUE or NFQUEUE;
>> 2) By jumping it to QUEUE or NFQUEUE, the packet is sent to user-space
>> and "received" by nfnetlink library
>> 3) So, it "goes" to my code through ipq/nfqueue, which changes the
>> source addr from 1.1.1.1 to 2.2.2.2
>> 4) My code sets the verdict NF_ACCEPT
>> 5) The packet is sent to its destiny (by example 2.2.2.3)
>> 6) The host 2.2.2.3 sends me an ACK, and the IP header has source
>> address 2.2.2.3, and destiny address 2.2.2.2
>>
>> And so, netfilter will automatically make an "answer DNAT" in the ACK
>> by changing its destiny to 1.1.1.1 and sending it to the 1.1.1.1 host,
>> or it'll simply accept the packet as it seems to be for the local
>> machine??
>
> If you accept the packet in POSTROUTING nat, it will discard any NAT
> action done after the NFQUEUE rule. Thus you will need to do NAT by
> yourself.

Do you have any hint to do the NAT by myself? Where do I start? Thank
you in advance.

>
> If you want to see what happens, I suggest to run "conntrack -E" when
> doing test. It will show you what the connection tracking is doing.
>
> BR,
> --
> Eric Leblond <eric@xxxxxx>
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
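
An added example, not code from this thread or from libipq/libnetfilter_queue: the two address rewrites the exchange above leaves to user space (source rewrite on the way out, destination rewrite on the reply), each followed by recomputing the IPv4 header and TCP checksums. It assumes unfragmented IPv4/TCP, a buffer length equal to the packet length, and a single hypothetical static mapping (`struct nat_map`); all function names are illustrative.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical single static mapping; a real NAT keys on the full 5-tuple. */
struct nat_map { uint8_t inside[4], outside[4]; };
/* RFC 1071 Internet checksum over len bytes, seeded with sum. */
static uint16_t csum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;          /* pad odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* TCP pseudo-header seed: src + dst addresses, protocol 6, TCP length. */
static uint32_t pseudo(const uint8_t *pkt, size_t tlen) {
    uint32_t s = 6 + (uint32_t)tlen;
    for (int i = 12; i < 20; i += 2) s += (uint32_t)pkt[i] << 8 | pkt[i + 1];
    return s;
}
/* IPv4 header length if pkt looks like an IPv4/TCP packet, else 0. */
static size_t tcp4_ihl(const uint8_t *pkt, size_t len) {
    if (len < 40 || pkt[0] >> 4 != 4 || pkt[9] != 6) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (ihl >= 20 && ihl + 20 <= len) ? ihl : 0;
}
/* 1 if the IPv4 header and TCP checksums both verify (valid folds to 0). */
int checksums_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = tcp4_ihl(pkt, len);
    return ihl && csum(pkt, ihl, 0) == 0 &&
           csum(pkt + ihl, len - ihl, pseudo(pkt, len - ihl)) == 0;
}
/* If the address at off (12 = source, 16 = destination) equals from, replace
 * it with to and recompute both checksums. Returns 1 when rewritten. */
static int rewrite(uint8_t *pkt, size_t len, int off,
                   const uint8_t *from, const uint8_t *to) {
    size_t ihl = tcp4_ihl(pkt, len);
    if (!ihl || memcmp(pkt + off, from, 4) != 0) return 0;
    memcpy(pkt + off, to, 4);
    memset(pkt + 10, 0, 2); memset(pkt + ihl + 16, 0, 2); /* zero both sums */
    uint16_t c = csum(pkt, ihl, 0);
    pkt[10] = c >> 8; pkt[11] = c & 0xff;
    c = csum(pkt + ihl, len - ihl, pseudo(pkt, len - ihl));
    pkt[ihl + 16] = c >> 8; pkt[ihl + 17] = c & 0xff;
    return 1;
}
/* Outbound: inside source -> outside. Reply: outside destination -> inside. */
int snat_out(const struct nat_map *m, uint8_t *pkt, size_t len)
{ return rewrite(pkt, len, 12, m->inside, m->outside); }
int dnat_reply(const struct nat_map *m, uint8_t *pkt, size_t len)
{ return rewrite(pkt, len, 16, m->outside, m->inside); }
```
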